Basic auth prompt with kerberos enabled

Hi everyone, I have a doubt about the basic auth prompt that comes up when Kerberos is enabled. Basically, if I do not have the Kerberos ticket, a basic auth prompt comes up after the redirect asking me for the domain credentials. I can only bypass this by adding the domain name to the local intranet zone, but this isn't very convenient: anyone who tries to access it from a PC that is not in the domain network will be prompted for the domain credentials first. Is there a way I can disable this? Thank you very much in advance.

Hello Marius, have you found a solution? We have exactly the same problem.


I am stuck on this also. There is an extensive thread in the forum here: [keycloak-user] Kerberos auth type displays basic auth prompt under Windows

Has anyone tried to modify the Keycloak configuration to make this work somehow?

I was successful in creating a new custom Authenticator that subclasses SpnegoAuthenticator based on the issue described here: skip kerberos SSO authentication to use login-form · Issue #8989 · keycloak/keycloak · GitHub

In my case the non-domain workflow uses a separate entry point from the domain workflow, so it was as simple as adding “prompt=login” to the links we show to non-domain users.

Also, just to be sure you are not having a simpler issue: despite having a Kerberos relationship, I had to manually add my Linux host machine for Keycloak to the “IntrAnet Zone” under “Internet options” on my Windows client PC.
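
An added sketch of the approach described in the last post, not code from the thread or from the Keycloak project: a subclass of `SpnegoAuthenticator` that sends no Negotiate challenge when the request carries `prompt=login`, so the flow falls through to the login form. The package, class names and provider id are hypothetical, and it assumes the authenticator is placed as an ALTERNATIVE execution ahead of the username/password form in the browser flow.

```java
// Added illustration; package, class names and provider id are hypothetical.
package example.keycloak;

import java.util.Arrays;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;

public class PromptAwareSpnegoAuthenticator extends SpnegoAuthenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // The OIDC "prompt" request parameter is kept as a client note on the
        // authentication session; it may hold several space-separated values.
        String prompt = context.getAuthenticationSession()
                .getClientNote(OIDCLoginProtocol.PROMPT_PARAM);

        if (prompt != null
                && Arrays.asList(prompt.trim().split("\\s+")).contains("login")) {
            // No 401 / WWW-Authenticate: Negotiate is sent, so the browser has
            // nothing to answer with a credential dialog. attempted() lets the
            // flow continue with the next alternative (the login form).
            context.attempted();
            return;
        }

        // Domain entry point: unchanged SPNEGO behaviour.
        super.authenticate(context);
    }

    // Factory that exposes the authenticator under its own provider id.
    public static class Factory extends SpnegoAuthenticatorFactory {
        private static final Authenticator INSTANCE = new PromptAwareSpnegoAuthenticator();

        @Override
        public String getId() { return "prompt-aware-spnego"; }

        @Override
        public String getDisplayType() { return "Kerberos (skipped on prompt=login)"; }

        @Override
        public Authenticator create(KeycloakSession session) { return INSTANCE; }
    }
}
```

The factory is registered by listing `example.keycloak.PromptAwareSpnegoAuthenticator$Factory` in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` inside the provider JAR. Skipping SPNEGO this way only changes which authenticator runs; the user still has to authenticate through the form.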